Commerce Department Rule Seeks to Bar Sales of Hacking Software, Gear to Repressive Regimes

FCC Commissioner seeks to impose restrictions on Chinese drone maker, Widely used spyware can expose sensitive files on targeted phones,

To dampen the sale of hacking tools to repressive regimes, the Commerce Department announced a new rule that would bar sales of hacking software and equipment to China and Russia without a license from the department’s Bureau of Industry and Security (BIS).

The rule is slated to take effect in 90 days and would cover software such as Pegasus, a spyware product sold by the Israeli firm NSO Group to governments that have used it to spy on dissidents and journalists. However, under the complex rule, software intended for cyber defense purposes, such as penetration testing, sold to nongovernment persons, is exempted from needing a license. The rule aligns the United States with the 42 European and other allies that are members of the Wassenaar Arrangement, which sets voluntary export control policies on military and dual-use technologies. (Ellen Nakashima / Washington Post)

Related: Commerce Department, Federal Register

Republican FCC Commissioner Brendan Carr says he wants the agency to impose restrictions on Chinese drone maker SZ DJI Technology by placing it on the"Covered List" that would prohibit U.S. Universal Service Fund money from being used to purchase its equipment.

"DJI drones and the surveillance technology on board these systems are collecting vast amounts of sensitive data-everything from high-resolution images of critical infrastructure to facial recognition technology and remote sensors that can measure an individual’s body temperature and heart rate," Carr said in a statement. "We do not need an airborne version of Huawei." (David Shepardson / Reuters)

Related: Washington Free Beacon, InsideCyberSecurity.com, South China Morning Post, BGR

Vulnerabilities in widely used consumer-grade spyware can expose all records, text messages, photos, browsing history, precise geolocations, and call recordings on targeted phones.

TechCrunch repeatedly attempted to inform the developer and the company that hosts the spyware of the flaws but received no responses. (Zack Whittaker / TechCrunch)

Related: iTech Post, Gadgets Now, IBTimes India, Techradar

According to ThycoticCentrify’s 2021 State of Ransomware Survey & Report, 64% of 300 IT decision-makers have been victims of a ransomware attack in the last 12 months, and 83% of those attack victims paid the ransom demand.

Of those decision-makers surveyed, 72% have seen cybersecurity budgets increase due to ransomware threats, and 93% are allocating special budgets to fight ransomware threats. (Jonathan Greig / ZDNet)

Related: MSSP Alert, Dark Reading, Security Magazine, Channel Futures, ZDNet, Thycotic

Privacy-oriented browser Brave has booted Google as its search engine in favor of the encrypted DuckDuckGo search engine in the US, UK, and Canada. Brave will replace Google with DuckDuckGo in Germany and France in the next several months.

Brave has also launched a Web Discovery Project that lets volunteers contribute data to improve Brave Search's overall quality. (Jon Fingas / Engadget)

Related: SlashGear, gHacks, GBHackers On Security, CSO Online, MacRumors, The Verge, Slashdot, Fudzilla, Softpedia News, Thurrott

Justin Sean Johnson, also known as TheDearthStar and Dearthy Star, was sentenced to seven years in prison for the 2014 hack of the human resource databases of health care provider and insurer University of Pittsburgh Medical Center (UPMC).

Johnson stole the Personally Identifiable Information (PII) of more than 65,000 UPMC employees. He then sold the stolen information on dark web forums for use by conspirators, who promptly filed hundreds of false 1040 tax returns in 2014 using UPMC employee PII. (Sergiu Gatlan / Bleeping Computer)

Related: Infosecurity Magazine, SecureNews, Justice.gov, Tribune Review, Patch

Exploit broker Zerodium announced its intention to buy zero-day vulnerabilities in the Windows clients of three of the biggest VPN providers: ExpressVPN, NordVPN, and Surfshark.

The companies manage a network of thousands of proxy servers across the globe that reroute their customers’ web traffic to disguise their users’ actual location. (Catalin Cimpanu / The Record)

Related: Bleeping Computer, VPN Compare

Share Metacurity

Chicago-based Ferrara Candy Co, which makes Brach’s Candy Corn and brands like Nerds, Laffy Taffy, Keebler, and Famous Amos, has been hit with a ransomware attack that has hampered its production.

Despite the attack, the company says its supply of Halloween favorite candy corn should not be disrupted. “We have resumed production in select manufacturing facilities, and we are shipping from all of our distribution centers across the country, near to capacity. We are also now working to process all orders in our queue,” the company said. (Lauren Zumbach / Chicago Tribune)

Related: Crain’s, The Takeout, Ad Age, Chicago Sun-Times

Thai police say they will investigate a recent case of online banking fraud involving unauthorized online transactions that affected over 40,000 people and resulted in a 130 million baht (USD 3.9 million) loss.

“The main cause is that scammers randomly collect card data and use it to fake transactions through foreign online stores without using one-time passwords. Around 10,700 cards were misused as a result of the incidents, with most of them being debit cards,” representatives of the Bank of Thailand and the Thai Bankers Association said. (Stephanie Pearl Li / KrASIA)

Related: Bangkok Post, Thai Examiner

Australia’s Morrison government will move forward with new laws requiring businesses to report when they are under cyber-attack and, in extreme cases, allow Australian officials, through the Australian Signals Directorate, to “step in” to help fend off hackers.

However, the government plans to delay other critical infrastructure legislation elements, including imposing additional “positive security obligations” for critical infrastructure assets. (Daniel Hurst / Guardian)

Related: IT News, 7News, Cointelegraph, Daily Mail

SASE platform provider Cato Networks has raised $200 million in a venture financing round.

Lightspeed Venture Partners led the round with the participation of existing investors Greylock, Aspect Ventures / Acrew Capital, Coatue, Singtel Innov8, and Shlomo Kramer. (Ofir Dor / Globes)

Related: Security Week, Dark Reading, SC Magazine, Cato Networks

Consumer all-in-one digital security provider has raised $200 million in a Series F venture funding round.

Madrone Capital Partners led the round, joined by cybersecurity specialists TenEleven Ventures, General Catalyst, and WndrCo. Warburg Pincus and Accel also contributed to the round. (Maria Deutscher / Silicon Angle)

Related: PR Newswire

Endpoint prevention, detection, and response company Cybereason has raised $50 million in an extension to its $275 million Series F venture funding round.

The investment came from Google Cloud. (Kyle Wiggers / Venture Beat)

Related: Silicon Angle

Threat detection marketplace provider SOC Prime has raised $12 million in Series A venture funding.

DNX Ventures led the round with participation from Streamlined Ventures and Rembrandt Venture Partners. (Carly Page / TechCrunch)

Related: Help Net Security

Follow Us on Twitter

Breach and attack simulating company Picus has raised $24 million in a Series B funding round.

Turkven led the round with participation from existing investors, Earlybird Venture Capital, and cyber security veteran Nathan Dornbrook. (Tech.eu)

Related: PR Newswire

Photo by Brandon Mowinkel on Unsplash